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CLAIMS 



What is claimed is 



1. A computed- implemented method for control ing 

access to documents during a workflow, comprising: 

upon entry J of a base document into a workflow, 
creating a working copy of the base document; 

selectively providing a user access to either the 
base document or thle working copy of the base document 
depending upon the identity of a user; and 

selectively providing access to perform 
operations on the | working copy of the base document 
depending upon the identity of a user. 



2 . 



storing 
the base document, 
access controls on 
copy of the base do 

storing £ 
the base document 



The methoft of claim 1, further comprising: 

ajccess control list data in relation to 



the access control list data defining 
performing operations of the working 
ument ; and 

ecurity descriptor data in relation to 
and the working copy of the base 
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document, the- . security, - descriptor .data defining ..access 
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controls on readinc 
of the base documert 



the base document and the working copy 



wo r k i ng c opy o f 
identity of a user, 



3. The method of claim 2, wherein the step of 
selectively providing access to perform operations on the 

the base document depending upon the 
further comprises : 
determining using the access control list data 
stored in relatior. to the base document that a user has 
permission to perform an operation on the copy of the base 
document ; and 

allowing the user to perform the operation on the 
copy of the base document . 

4. The methdd of claim 2, wherein the step of 
selectively providing access to perform operations on the 
working copy of tme base document depending upon the 
identity of a user, further comprises: 

determining using the access control list data 
stored in relation to the base document that a user does 
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_not_„ have, permission _ to_ jfperfprm _an_ operation, on .the copy_ of 
the base document ; and 

denying the ufser access to perform the operation 
on the copy of the base document 



The method of claim 2, wherein the access control 



list data comprises 



identity of a user, 

referencing 



information identifying for each of a 



plurality of operations, the set of users that have 
permission to perform the operation, and said act of 
10 selectively providing access to perform operations on the 
working copy of tte base document depending upon the 

:urther comprises: 

the information identifying for each 
of a plurality of operations, the set of users that have 
15 permission to perform the operation; and 

er is in the set of users that have 



if the ue 
permission to perfc 
the operation. 



20 6 . 



rm the operation, providing access to 



The method 



list data comprises 
plurality of operkt 



of claim 2, wherein the access control 
information identifying for each of a 
:ions, the set of users that have 
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permission to perform the operation, and said act_ of 
selectively providing access to perform operations on the 
working copy of the base document depending upon the 
identity of a user, further comprises: 

referencing the information identifying for each 
of a plurality of operations, the set of users that have 



permission to perform th 
if the user is 



2 operation; and 
not in the set of users that have 



permission to perform t|ie operation, denying access to the 
10 operation. 



15 



20 



7. The method of claim 5, wherein the set of users 

are defined in terms of the roles that have permission to 
perform the operatiom, and said act of referencing the 
information identifying for each of a plurality of 
operations, the set/ of users that have permission to 



perform the operatio 
resolving 



, further comprises: 
Eor the user the set of roles to which 
the user has been assigned; and 

determining using the set of roles to which the 
jned and the set of users defined in 
that have permission to perform the 



user has been assi 
terms of the roles 
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operation, whether the uier has_ permission to perform the 
requested operation. / 

8. The method of claim 2, wherein the step of 
selectively providing a user access to either the base 
document or the working /copy of the base document depending 
upon the identity of a user, further comprises: 

determining using the security descriptor data 
stored in relation td the base document and the working 
copy document, that /a user has permission to read the 
working copy of the base document; and 

providing uhe user access to the working copy of 
the base document . I 

9. The methop of claim 2, wherein the step of 
selectively providing a user access to either the base 
document or the working copy of the base document depending 
upon the identity of a user, further comprises: 

determining using the security descriptor data 
stored in relation) to the base document and the working 
copy document, than a user does not have permission to read 
the working copy ofl the base document; and 
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denying the user access to the base document, 



10. The method df claim 2, wherein the security 

descriptor data compri/ses information identifying the set 
of users that have permission to read each of the base 
document and the worMing copy of the base document, and 
said act of selectively providing access to either the base 
document or the working copy of the base documents 

ity of the user, further comprises: 
the information identifying the set 
>ermission to read each of the base 



depending on the ident 
10 referencing 
of users that have 



document and the working copy of the base document; and 

if the usei: is in the set of users that have 
permission to read tine working copy of the base document, 
is providing access to the working copy of the base document . 



11. The methoa of claim 10, wherein the set of users 

are defined in terms of the roles that have permission to 
read each of the b#se document and the working copy of the 



20 base document, and 



said act of referencing the information 



identifying the se : of users that have permission to read 
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the user has been ass:. 



10 



each of the base document and the working copy of the base 
document , further comprises : 

resolving for the user the set of roles to which 
.gned; and 

determining/ using the set of roles to which the 
user has been assigned and the set of user defined in terms 
of the roles that have permission to read each of the base 
document and the working copy of the base document, whether 
the user has permission to read the base document or the 
working copy of the base document . 



15 



20 



12. A computier-readable media having stored thereon 
computer -executable instructions for performing the steps 
recited in claim 

13. A systlbm for providing document isolation in a 
workflow environment, comprising: 

a processor, wherein said processor is operable 
to execute instructions for performing the following acts: 

maintaining for a base document undergoing a 



publishing work 



low, a copy of the base document; 
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maintaining, access control data in relation to 
the base document and the copy of the base document; and 

determining based on the access control data, 
whether a user may access the base document or the copy of 
the base document . / 

14. The system/ of claim 13, wherein the access 
control data comprises security descriptor data identifying 
the set of users tliat have permission to read the base 
document and the copy of the base document . 

15. The system of claim 14, wherein said processor is 
operable to execute instructions for performing the 
following further ajcts : 

referencing the security descriptor data; and 
determining that a user should be directed to the 

copy of the base pocument based on the security descriptor 

data. / 

16. The system of claim 15, wherein the security 
descriptor data /identifies a set of roles corresponding to 
the set of users that have permission to read the base 
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document _and the copy ofj the base document, and wherein 
said processor is operable to execute instructions for 
performing the further act of determining the set of roles 
that a user has been assigned. 

17. The system /of claim 13, wherein the access 
control data comprises/ access control list data identifying 
the set of users that /have permission to perform operations 
on the copy of the base document . 

18. ■ The system /of claim 17, wherein said processor is 
operable to execute instructions for performing the 
following further acts: 

referencing the access control list data; and 
determining that a user should be allowed to 

perform an operation on the copy of the base document based 

on the access control list data. 

19. The system of claim 18, wherein the access 
control list data identifies a set of roles corresponding 
to the set ofl users that have permission to perform 
operations on the copy of the base document, and wherein 
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said processor is operable to execute instructions for 



performing the further 



act of determining the set of roles 



that a user has been assigned. 



5 20. A method off updating access controls to reflect 

the addition of a new operation that may be performed on a 
copy of a base document, in a system wherein access to 
operations to be performed on a copy of the base document 
are controled using an access control list which identifies 
io the operations that may be performed and the roles that a 
user must have to/ access those operations, comprising: 

assigning a unique identifier to the new 

operation; 

updating the access control list to include an 
15 entry for the /unique identifier for the new operation; 

updating the access control list to include an 
entry identifying the roles that have access to the new 
operation . 
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